Malwarebytes fails to complete (aborts) still lots of bad stuff happening

I am trying to clean up a PC for a friend (big mess) and need to work only in SAFE MODE due to security popups, etc. Had to fix the registry just to allow EXE files to execute. Downloaded MB and it fails so I aborted it when it found about 50 problems and cleaned them. Now it runs clean until it aborts. It is happening in TEMP files and when I try to go in to delete them explorer dies.
I did manage to get an OTS log… see attached.

Thanks

EDIT: Running Combofix now…it found rootkit issues …(windows\system32\kdqyw.exe)… and is rebooting… I will attach logs when it completes

attach ComboFix.txt log here

Things better after Combofix… I was able to delete the TEMP files and will rerun MB.

Here is the Combofix log attached…

I also noted that I need to update to SP3 … will do that shortly.

Thanks

Download and install this program MCShield


http://img402.imageshack.us/img402/1096/myfile350536.jpg

Save Theme Settings

Connect the USB flash

Please wait while the program scans the flash

Copy/paste the contents of the log in your next reply.


Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\itcoe.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91351878-d271-11db-b084-000cf1b8eb68}]

Driver::
itcoe

DDS::
uStart Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

Save this as CFScript.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b])

I just finished MB … here is the log… it still found some stuff.

I think MB already deleted this… should I run your fix anyway ?

Thanks

EDIT: I don't have a flash drive, why do the MCShield thing?


Because the logs show some traces of worms that are usually transmitted via USB.

Skip this step if you wish…

I was finally able to get Avast downloaded and it found 23 problems that were all moved to chest… doing an Avast boot scan now. Looks like things are much better.

Thanks for all your help.

Why not just wait for me until I analyze the system? :D

Have you done what I wrote for the CFScript?
…attach fresh CF log made after CFScript.
Note: first temporarily disable your antivirus.

Running now… seems to be going very slow… I will attach files here when completed. (I am on a different PC right now)

Ok. :wink:

Here is the new combofix log

The CF log seems clean and there are no traces of active malware. Your PC is clean.

It is necessary to uninstall Combofix
Start >> Run

Combofix /Uninstall

Enter. Then do the following. Create a registry file.

Open Notepad and Copy/Paste everything from the Code box into Notepad:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="\"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui"
* Go to [b]File > Save As[/b]
* Save File name as [b]nogui.reg[/b]
* Change Save as Type to [b]All Files[/b] and save the file to your [b]Desktop[/b]
* Double-click [b]nogui.reg[/b] on your Desktop
* When it asks if you want to merge the info to the registry, hit YES/OK
* Reboot computer

that’s it…

Will do.

Thanks for your help

You’re welcome. :wink:
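
The Registry:: lines of the CFScript and the nogui.reg file in this thread use .reg notation, where `"Name"=-` deletes a single value and `[-KEY]` deletes a whole key. As an added example (not part of the original thread and not ComboFix's own code), this Python script lists what such text would change before it is merged; the `audit_reg` helper and the combined sample are constructed for illustration, and it assumes the CFScript Registry:: section follows the same .reg semantics.

```python
import re

# Constructed sample: the Registry:: lines from the CFScript plus the
# nogui.reg body quoted in the thread, joined into one .reg-style text.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91351878-d271-11db-b084-000cf1b8eb68}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="\"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui"
'''

KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def audit_reg(text):
    """Return (action, key, value_name, data) for every change in the text."""
    changes, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):            # [-KEY] removes the key and its subkeys
                changes.append(('delete-key', key, None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data == '-':           # "Name"=- removes a single value
                changes.append(('delete-value', key, name, None))
            elif data.startswith('"') and data.endswith('"'):
                changes.append(('set-string', key, name, unescape(data[1:-1])))
            else:                     # dword:, hex: and similar, reported as written
                changes.append(('set-other', key, name, data))
    return changes

if __name__ == "__main__":
    print(*audit_reg(SAMPLE), sep="\n")
```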